We are designing a wireless sensor node. 
It must be 

■ extra-neighborly 

■ cheap 

■ low-power 

■ light-weight 
Right now, 

■ The firmware works. 

■ TNBELT11 Hardware 

■ TNBELT20 In Progress 



Introduction 



Telos B Hardware 
TinyOS Software 
Homegrown Hardware 
Homegrown Firmware 
Unneighborly Acts 
Neighborly Belt Buckles 
LPAN 

Zigbee 

802.15.4 

Wireless HART 

ISA100 



Motes 



What are Wireless Sensors? 


■ Microcontroller 

■ Radio 

■ Batteries 

■ Sensors 
Sensor Lifespan 



Conserve Battery Power 

■ Reduced Computation 

■ Reduced Broadcast Strength 

■ Intelligent Routing 

■ Reduced Listening 
Result 

■ Months of operation. 

■ Years, in theory and marketing literature. 



Sensor Cost 



Mythical Goal 

■ Less than a dollar a unit. 

■ Stick it and forget it. 
Reality 

■ $7/radio 

■ Not there yet. 
Packet Size 



UDP 

■ 65,507 bytes 
802.15.4 

■ 128 bytes 
Ratio 

■ 512:1 



UDP Packet 

15.4 Packet 

MSP430 RAM+ROM 



TCP, UDP, Philosophy 




Crossbow Telos B 




















Telos B 



16bit MSP430F1611 

■ 48kB of Flash 

■ 10kB of RAM 

■ ADC/DACs 

■ USARTs 

■ Hardware Multiplier 
CC2420 

Serial EEPROM 

FTDI 

Sensors 




Open Source Operating System 
Wireless Sensor Networks 
Component-Based Architecture 

■ rapid implementation 

■ minimal code size 
Tasks and Events 



TinyOS Components 



Keep things organized. 
Eliminate memory management. 
Abstract Hardware 



TinyOS Applications 



One per mote. 
Hardware-agnostic. 



Blink Application 



Blinks three LEDs, 

by three separate timers, 

with complete hardware-neutrality. 



Blink Makefile 



COMPONENT=BlinkAppC 
include $(MAKERULES) 



BlinkAppC.nc 



configuration BlinkAppC {} 
implementation { 
  /* Components this application is built from. */ 
  components MainC, BlinkC, LedsC; 
  components new TimerMilliC() as Timer0; 
  components new TimerMilliC() as Timer1; 
  components new TimerMilliC() as Timer2; 

  /* Wire each interface BlinkC uses to the component that provides it. */ 
  BlinkC -> MainC.Boot; 

  BlinkC.Timer0 -> Timer0; 
  BlinkC.Timer1 -> Timer1; 
  BlinkC.Timer2 -> Timer2; 
  BlinkC.Leds -> LedsC; 
} 



■ 3 Timers 

■ Boot 

■ Leds 



module BlinkC 
{ 
  /* Interfaces this module uses; BlinkAppC wires them to providers. */ 
  uses interface Timer<TMilli> as Timer0; 
  uses interface Timer<TMilli> as Timer1; 
  uses interface Timer<TMilli> as Timer2; 
  uses interface Leds; 
  uses interface Boot; 
} 



■ 3 Timers 

■ Boot 

■ Leds 



BlinkC.nc -- Starting Timers 



event void Boot.booted() 
{ 
  /* Periods are in milliseconds. */ 
  call Timer0.startPeriodic( 250 ); 
  call Timer1.startPeriodic( 500 ); 
  call Timer2.startPeriodic( 1000 ); 
} 



250ms 
500ms 
1000ms 



BlinkC.nc -- Timer Event 



event void Timer0.fired() 
{ 
  /* dbg() output appears only in simulation. */ 
  dbg("BlinkC", "Timer fired %s.\n", sim_time_string()); 
  call Leds.led0Toggle(); 
} 



dbg() 

■ Debugging message. 

■ Simulation only. 



Three Ways to Blink 



TOSSIM 

■ x86 posix process 

■ debugging, logging 
Telos B 

■ Von Neumann Wireless Sensor 
MicaZ 

■ Harvard Wireless Sensor 
BaseStation 

■ forwards radio packets to a PC 
RadioSenseToLeds 

■ broadcasts sensor reading 

■ displays any received sensor reading 
MultihopOscilloscope 

■ Relays sensor data over a multihop network. 

■ Parsed and graphed by PC. 



Application 



Movie Seats 
Steam Pipes 
Industrial Processes 
Soil Monitoring 
Building Security 
Tire Pressure 
Party Mode! 




PCB Fab 




Soldering 







hen the Radio 



CAD Layout 
Purchase Parts 
Soldering, QFN 



Radio Layout 



Transmission Line Balun 

■ Cheap in bulk. 

■ Hell to draft. 
Discrete Balun 
Differential Antenna 
Transmission Line Balun 




Purchasing Parts 



USA! USA! 

Wait for the board design! 

■ PCB Fab takes longer. 

■ Wasted purchases. 

Old chips are expensive. 
Full-custom Firmware 

■ Lowers hardware parts cost. 

■ Longer development cycle. 
TinyOS 

■ Shorter development cycle. 

■ Debug before manufacturing. 



Full-custom Firmware 



C and Assembly 
Hardware Interrupts 
I/O Registers 



Power Management 
Radio Stack 
330µA at 1MHz 


■ Active 


200nA at LPM4 


■ LPM0 




■ CPU, MCLK 




■ LPM1 




■ LPM2 




■ LPM3 




■ LPM4 




■ ACLK, Crystal 



SPI/I2C 



Inter-chip Buses 

Unencrypted 

Serial 

■ Few wires. 

■ Easy to tap. 



Party Application 



Received PartyPacket of new ID 

■ Broadcast PartyPacket of same ID 

■ Blink pattern for that ID. 
Party Timer Fires 

■ Listen for a while. 

■ Broadcast PartyPacket of random ID 

■ Do not blink, but wait for reply. 
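
The party logic on this slide, sketched as a small C simulation (an added example, not the belt-buckle firmware or code from the talk). The line topology, the names `mote_t`, `on_party_packet`, `broadcast` and `run_party`, the reserved ID 0, and the rule that the originator blinks once a neighbor echoes its ID are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_MOTES 16

typedef struct {
    uint16_t last_id;     /* last party ID acted on; 0 = none (assumption) */
    uint16_t pending_id;  /* ID this mote originated and awaits a reply to */
    int blinks, broadcasts;
} mote_t;

static mote_t motes[MAX_MOTES];
static int n_motes;
static void broadcast(int from, uint16_t id);

/* Radio receive handler for a PartyPacket. */
static void on_party_packet(int self, uint16_t id) {
    mote_t *m = &motes[self];
    int reply = (id != 0 && id == m->pending_id);   /* a neighbor answered us */
    if (id == 0 || (!reply && id == m->last_id)) return; /* reserved or not new */
    m->last_id = id;
    m->blinks++;                                    /* blink pattern for that ID */
    if (reply) m->pending_id = 0;                   /* originator does not re-send */
    else broadcast(self, id);                       /* rebroadcast the same ID */
}

/* Constructed line topology: only adjacent motes are in radio range. */
static void broadcast(int from, uint16_t id) {
    motes[from].broadcasts++;
    if (from > 0) on_party_packet(from - 1, id);
    if (from < n_motes - 1) on_party_packet(from + 1, id);
}

/* Party timer fires on `origin`; returns total packets sent by all motes. */
static int run_party(int n, int origin, uint16_t random_id) {
    int i, tx = 0;
    memset(motes, 0, sizeof motes);
    n_motes = n;
    motes[origin].pending_id = random_id;           /* stay dark until a reply */
    broadcast(origin, random_id);
    for (i = 0; i < n; i++) tx += motes[i].broadcasts;
    return tx;
}

int main(void) {
    int tx = run_party(5, 2, 0x1234);               /* constructed ID and origin */
    printf("packets=%d originator_blinks=%d\n", tx, motes[2].blinks);
    return 0;
}
```

Because a mote rebroadcasts only an ID it has not just acted on, each mote transmits once per party and the flood stops on its own; a lone mote sends one packet and stays dark.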



Party Application 



■ Test on Telos B 

■ Recompile Later 




leaking It 



■ Packet Crafting 
■ Reverse Engineering 
■ Stack Overflows 
■ Firmware Patching 



802.15.4 Packet Crafting 



Cryptography 

Serial Streaming Modes 

Channels 



Reverse Engineering 



Dumping Firmware 
MSP430static 
Schematic Capture 



Stack Overflow 



Harvard/Von Neumann 
Goodspeed 

■ First mote overflow. 
Francillon 

■ First Harvard mote overflow. 

■ Return-oriented programming. 
Goodspeed and Francillon 

■ Blind return-oriented programming. 



Firmware Patching 




Sniffing and Fuzzing 